Ransomware - First steps to take after identifying an infection


This is Part 3 of our Ransomware series (read Part 1 and Part 2 here), in which we’ll outline the first steps you need to take after identifying ransomware on your systems. 

By Matthew Holley

Lead Response Consultant

15 May 2018

Whether it is yourself finding that nasty ransom note on your computer or it’s your employees reporting a suspected infection – there are a few first steps you can take in order to contain and remediate the infection and make sure the incident causes as little harm as possible. 

This post is split into two sections, one aimed at the C-Level within businesses seeking general advice on which first steps they need to take in order to minimise the consequences of an attack and one aimed at internal IT teams having to deal with the infection. 


Advice for the C-Level 

Don’t panic and don’t pay 

Our first piece of advice for when you find that your systems have been infected with ransomware is to not panic and take a deep breath – it has happened to many organisations before and it doesn’t mean your business is going to make the headlines in tomorrow’s news. 
If you have received a ransom note, be careful not to let threats or accusations shame you into paying the ransom, and don’t contact any numbers or follow any links displayed in the note that are offering to resolve the problem. In many cases, these links and numbers are simply alternative money-making or phishing mechanisms. 

Notify your IT team and consider getting external help

Notify your IT team immediately (if this hasn’t been done already) so that any actions to contain the infection can be taken as soon as possible. See our technical guidance for IT teams below.
If you have the resources to do so, you may also want to consider calling an external expert as well. In many cases, a specialist security firm with experience in cyber incident response will be far more adept at dealing with this kind of incident than your internal IT teams may be. They will be able to investigate the extent of the problem and determine what next steps will need to be taken.

Act quickly and have a PR plan

A swift response is crucial to minimising the potential impact of an attack. The longer it takes to identify the source of the infection and contain its movement across your networks, the worse the potential consequences could be. In addition, the ransom could just be a cover for another attack seeking to exfiltrate your client data. It is recommended that organisations have a rehearsed response plan in place for such an attack to ensure effective action.

Try to keep knowledge of the ransomware infection to limited parties within the organisation to reduce the chance of information being leaked to the press. To prepare for the possibility of news of the infection spreading to the press or other external parties, it is recommended that a suitable communications template or statement be created which can then be released accordingly.

Make sure to comply with regulatory and legal requirements

Be aware that ransomware can potentially affect some of your client data, in which case you will need to comply with regulatory and legal requirements, such as the Data Protection Act (DPA) and especially the upcoming General Data Protection Regulation (GDPR), which comes into effect at the end of this month. In some cases, this means you will have to notify authorities and any affected individuals within 72 hours of first becoming aware of the breach to avoid penalties [1].

Technical guidance for IT teams

Many of the steps to contain ransomware and general malware are similar. However, unlike general malware, ransomware leaves victims with encrypted files, or data in an unusable state, which usually cannot be easily recovered, if at all.

Primary Tasks

The following points are a list of recommendations that can be applied to ransomware infections:

  1. Physically isolate the identified host from the network and shut it down

    This is a critical step, and one that should be completed as soon as possible. Given the recent prevalence of worming ransomware (as with WannaCry exploiting a vulnerability in a core Windows component), without this step the business could be faced with a large number of systems becoming infected.

    To accomplish this, well-tested procedures should be implemented (that may include technical elements, such as a Network Access Control (NAC) solution) that would disconnect hosts from the network when required, and include alerting users to the current situation (for example why they may not be able to connect to certain shares).
     
  2. Disconnect shares being encrypted via the network, or disable write access

    Do this if possible; this will limit any new files from becoming encrypted. This is a business decision that should be considered, and could be influenced by the number of users accessing the file share, the time of day, and any number of service level agreements.

    If the network share cannot be disconnected, limit access by revoking permissions to the shares as far as the findings of the investigation allow. This may include disabling write permissions, so that users can still read files but further encryption is limited.

    The next step is to make sure the encryption process has stopped. If it has not, the infection is most likely on the server, and so should be shut down to stop the encryption process.
     

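As an added example (not code from the original post), the following Python script answers the "has the encryption process stopped?" question from step 2 by comparing two snapshots of a share: a file that is new or modified between the snapshots and whose first bytes have near-maximal byte entropy is likely a freshly encrypted copy, and the extension those files carry is a first hint towards the family. The share path, the 7.5 bits-per-byte threshold and the set of formats that are compressed by design are assumptions for illustration, and the demo share is constructed data.

```python
import math
import os
import tempfile
from collections import Counter

# Formats that are high-entropy by design (compressed or already encrypted), so entropy alone is not a signal for them.
COMPRESSED_FORMATS = {".docx", ".xlsx", ".pptx", ".pdf", ".zip", ".jpg", ".png", ".gz"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the sample; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(root: str, sample_bytes: int = 4096) -> dict:
    """Map every file under root to (mtime, extension, entropy of its first bytes)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # vanished or locked mid-scan; skip it
            ext = os.path.splitext(name)[1].lower()
            snap[path] = (os.path.getmtime(path), ext, shannon_entropy(head))
    return snap

def suspicious_changes(before: dict, after: dict, threshold: float = 7.5) -> list:
    """(path, ext, entropy) for files created or modified since `before` that now look like
    ciphertext; an empty list over a quiet interval is the 'encryption has stopped' signal."""
    hits = []
    for path, (mtime, ext, ent) in after.items():
        changed = path not in before or before[path][0] != mtime
        if changed and ent >= threshold and ext not in COMPRESSED_FORMATS:
            hits.append((path, ext, round(ent, 2)))
    return hits

def build_demo_share() -> tuple:
    """Constructed sample data: snapshot a clean document, then add a ciphertext-like file."""
    root = tempfile.mkdtemp(prefix="share_")
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"quarterly figures, plain text " * 150)
    before = snapshot(root)
    with open(os.path.join(root, "report.txt.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for an encrypted copy of the document
    return before, snapshot(root)
```

In practice, take the two snapshots of the real share a minute or so apart; note that a file overwritten in place within the filesystem's mtime granularity can be missed, so repeat the comparison a few times before concluding that encryption has stopped.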
Secondary Tasks 

With the spread of infection limited and the source host isolated, the following tasks can be taken at a slower pace:

  1. Identify the ransomware family

    Analyse with a sandbox: identifying the strain or type of ransomware can be a complex process; however, there are lots of tools and information to assist in this. These include sandboxes such as Context’s own CAPE (https://cape.contextis.com/), which provides detailed technical analysis of the malware sample, or, for a more general overview, Chronicle’s VirusTotal (https://www.virustotal.com/).

    Check the file extension using Google: as simple as it may seem, if the ransomware has been around for a while, it’s likely that a wealth of information is already readily available. The file extension alone can identify the ransomware family, and in many cases this is the intended effect, as it makes it easier for a victim to pay up (which we do not recommend; see our post “Why paying up doesn’t pay off”).

    Third-party websites such as https://id-ransomware.malwarehunterteam.com/ provide a quick way to identify what type of infection you have by providing the ransom note, a sample encrypted file, or address found in the ransom note.
     
  2. Clean-up

    Recovery of the host back to a clean state before being reconnected back to the network is a must. This usually consists of completely wiping the system and restoring from a gold image, rather than removing the files known to be associated with the infection. Reimaging is becoming a faster process than it has in the past, and is the preferred reliable method of clean-up, especially given the growing prevalence of malware affecting hard drive boot sectors which means malicious code persists even if the operating system is rebuilt.
     
  3. Recover encrypted files from a known safe date

    The company backup strategy influences the recovery process. Hopefully a well implemented (and well tested) backup process will be the key to retrieving lost files, but if not, tools exist which could assist in decrypting files from certain ransomware families. While this is sometimes an option, it should not be relied upon: more often than not no such tool exists, as the encryption implementations within ransomware are getting stronger.

    There are several tools like this that are free to download and run; check with your AV vendor, as they may already have one.

    The link below is to a third-party tool that supports decryption of several ransomware families. Such tools exploit weaknesses in the encryption mechanisms that have been identified by security researchers, which may allow decryption of the files without paying the ransom: 
    https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor

    If the backup process fails or there is not a backup process available, files may also be transferred to a clean system with an up-to-date antivirus. Files should be scanned upon copy to the new system, and avoid moving files that are no longer required.

Once you have contained and remediated a ransomware infection it is important to take any lessons you have learned from this experience and use them to prepare for the future. Steps that can be taken to prepare for the next ransomware attack or minimise the possibility of being hit by one will be discussed in our next and final part of our ransomware series.

References 

[1] GDPR Article 33: https://gdpr-info.eu/art-33-gdpr/

CAPE sandbox: https://cape.contextis.com/


About Matthew Holley

Lead Response Consultant

Matthew works in our Response team in London. See the contact page for ways to get in touch. 
